Using libwireshark to get Wireshark functionality programmatically


Question


If I want to write a script that uses Wireshark's functionality, I use tshark. I hear there is also a libwireshark that can be used when writing a program in C but, for the life of me, I can't find any documentation for it! I tried isolating the library code in the wireshark source tree, but it seems the code is not very well organized and such isolation does not exist (either that, or I have failed to find it).

I have two questions:

  1. Am I right in thinking that libwireshark can indeed be used to programmatically get any functionality I can get from wireshark/tshark?
  2. Can you point me to any documentation/tutorials/examples on the subject? Even a few simple examples can go a long way. Failing that, can you point me to an explanation of how I can find my way around in the wireshark source tree?

Solution

No.

libwireshark is not intended to be used outside of Wireshark itself, and trying to do so will leave you on your own for trying to figure out what is going wrong. libwireshark is actually part of the packet analyzing portion of Wireshark (called epan for Ethereal packet analyzer), which you can see in the Developer's Guide is not all of Wireshark. What libwireshark actually provides is the main interface for all of the built-in protocol dissectors, hooks for the plugin dissectors, and the complete packet dissection API. It relies on the machinery set up by the rest of Wireshark for things that are not directly packet dissection tools, but enable the dissectors to do their work (e.g. allocate and deallocate memory chunks, handle compressed or encrypted data, etc).

Write a dissector instead.
If your project is to strictly analyze network traffic in some way, you might want to consider writing a dissector for Wireshark rather than reinventing the many wheels that Wireshark could provide for you. If you need to do something more complex, like monitor network traffic and then kick off other tasks or send data yourself, you are probably better off using tshark and shell scripting as you already are (keep in mind that you shouldn't let tshark run for extremely long periods of time in any case).

If you really, really want to use libwireshark directly, you will need to resolve all of its dependencies somehow (preferably by making it an actual stand-alone library) and provide for the assumptions it makes about Wireshark (or tshark) actually running. The code for libwireshark is all well organized, it's just that it consists of the entire epan directory under the Wireshark source tree and is laid out according to the conventions established back when Wireshark was still Ethereal. The documentation for each function is provided in the header files when it is publicly visible, and more deeply in the source files in every case. Also bear in mind that the README.developer distributed with the version of the source code you have is a good place to get a few hints (and you may as well read all of the README.* files if you want to undertake this task).
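As an added example (not code from the answer above), the tshark-plus-shell approach it recommends: a capture bounded with `-a duration` so tshark is never left running indefinitely, piped through a small aggregator that totals bytes per source/destination pair. It assumes tshark is on PATH; the interface name and the sample field lines are constructed.

```shell
#!/bin/sh
# Added example, not part of the original answer: script tshark from the
# shell instead of linking libwireshark. Assumes tshark is on PATH; the
# interface name and the capture length are constructed defaults.
IFACE="${IFACE:-eth0}"
DURATION="${DURATION:-60}"   # seconds; bounds the run, as the answer advises

# Capture for a fixed time and emit one tab-separated line per IP packet:
# src<TAB>dst<TAB>frame length. -l line-buffers so the pipe sees each line.
run_capture() {
    tshark -i "$IFACE" -a "duration:$DURATION" -l -Y ip \
           -T fields -E separator=/t -e ip.src -e ip.dst -e frame.len
}

# Aggregate "src<TAB>dst<TAB>len" lines from stdin into total bytes per
# src->dst pair, largest first, printed as "bytes src dst". Lines that do
# not have three non-empty fields with a numeric length are skipped.
summarize_fields() {
    awk -F'\t' '
        NF == 3 && $1 != "" && $2 != "" && $3 ~ /^[0-9]+$/ {
            bytes[$1 " " $2] += $3
        }
        END { for (k in bytes) print bytes[k], k }
    ' | sort -rn
}

# Constructed sample of tshark -T fields output (not from a real capture),
# so the aggregation can be exercised without tshark or an interface.
sample_fields() {
    printf '10.0.0.5\t10.0.0.1\t60\n'
    printf '10.0.0.5\t10.0.0.1\t1500\n'
    printf '\t\t42\n'                    # malformed line: no addresses, skipped
    printf '10.0.0.9\t10.0.0.1\t80\n'
}

# Offline demo on the sample; use `run_capture | summarize_fields` for a
# live, time-bounded capture.
sample_fields | summarize_fields
```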
